Ensure that the client respects key expiry in all keyrings but blacklist
Bug #1192717 reported by Stéphane Graber
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Ubuntu system image | Fix Released | High | Barry Warsaw |
system-image (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
Subject says it all. If a key in any of the keyrings but the blacklist is expired, it needs to be considered invalid and skipped.
This is likely to happen in 2015 when the image-signing keyring will contain the 2013, 2014 and 2015 signing keys and the 2013 key will reach its expiry (of 2 years). At this point, any file signed by the 2013 key and not by any of the two others needs to be considered invalid.
Changed in ubuntu-system-image:
assignee: nobody → Barry Warsaw (barry)
tags: added: client
Changed in ubuntu-system-image:
status: New → Triaged
importance: Undecided → Medium
Changed in ubuntu-system-image:
importance: Medium → High
Changed in ubuntu-system-image:
status: In Progress → Fix Committed
Changed in ubuntu-system-image:
status: Fix Committed → Fix Released
Changed in system-image (Ubuntu):
status: New → Fix Released
When downloading anew, all keyring expiry values are checked.
For cached keyrings, I will add checks similar to LP: #1195057, i.e. specifically on the image-master and image-signing keyrings. We don't need to check blacklist or device-signing since these are always downloaded, and we don't need to check archive-master for the same reasons as described in LP: #1195057.
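
The rule from the bug description, as an added example that is not system-image's own code: a signature counts only if at least one signer is an unexpired key in the keyring, while blacklist entries apply regardless of their own expiry. The `Key` type, the fingerprints and the dates are constructed, and treating a blacklisted key as simply removed from the trusted set is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, Optional


@dataclass(frozen=True)
class Key:
    fingerprint: str             # constructed placeholder, not a real key id
    expires: Optional[datetime]  # None means the key never expires


def utc(year: int, month: int = 1, day: int = 1) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


def trusted_fingerprints(keyring: Iterable[Key], blacklist: Iterable[Key],
                         now: datetime) -> set:
    """Fingerprints allowed to validate a signature at time `now`."""
    # Expiry is deliberately ignored for the blacklist: an expired
    # blacklist entry must still revoke the key it names.
    revoked = {k.fingerprint for k in blacklist}
    return {
        k.fingerprint
        for k in keyring
        if k.fingerprint not in revoked
        and (k.expires is None or now < k.expires)
    }


def signature_acceptable(signers: Iterable[str], keyring: Iterable[Key],
                         blacklist: Iterable[Key], now: datetime) -> bool:
    """True if at least one signer is an unexpired, non-blacklisted key."""
    return bool(set(signers) & trusted_fingerprints(keyring, blacklist, now))


# Constructed keyring mirroring the scenario in the report: yearly
# signing keys, each with a two-year lifetime.
IMAGE_SIGNING = [
    Key("KEY-2013", utc(2015)),
    Key("KEY-2014", utc(2016)),
    Key("KEY-2015", utc(2017)),
]

if __name__ == "__main__":
    mid_2015 = utc(2015, 6, 1)
    print(signature_acceptable(["KEY-2013"], IMAGE_SIGNING, [], mid_2015))
    print(signature_acceptable(["KEY-2013", "KEY-2014"], IMAGE_SIGNING, [], mid_2015))
```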